
Help with DMZ Interface

dougken444
Level 1

I am fairly new to the ASA world. I ran out of options and am turning to the experts here for help. I have an ASA 5506-X with 4 interfaces. The ASA is running OS 9.4(2) and I am using ASDM to configure everything. ASDM is version 7.6.

Interface 1: Outside Network 1 Verizon

Interface 2: Inside Network

Interface 3: Outside Network Comcast

Interface 4: DMZ 192.168.1.0/24

There are two outside networks; in case one goes down, it fails over to the second one.

Aside from these interfaces, ASA is also used for VPN connectivity.

My Problem: I have a Skype for Business Edge Server that I would like people to access from outside. The server is connected to the DMZ and has 3 private IPs NATed to public IPs. I have created the NAT rules and the server is connected to the internet (meaning I can go on the server and surf the web). I can't for some reason ping the server or connect to it from outside using any of the 3 public IPs. I have opened the necessary ports using an ACL, but still no luck. Any idea on how I could get this up and running? I really appreciate any help with this. Like I said, I have researched this a lot and I couldn't find any solutions. I apologize if this question has already been asked.

Config attached



Rishabh Seth
Level 7

Hi,

Based on your configuration, the ACL applied on the Comcast interface will allow only RDP to specific hosts from the outside. You should check the Comcast_access_in ACL and permit traffic for the Skype server.

You have mentioned that you have dual ISPs and one ISP acts as a backup for the other, so you should add NAT for the backup ISP as well, or else the servers won't be accessible if one of the ISPs is down.

Hope it helps.

Thanks,

RS

Rate if this helps in resolving your query.

Hi Rishabh, 

I tried adding the DMZ_subnet network object to the Comcast_access_in ACL and allowed any traffic. It still didn't work. The Comcast interface that is set up only includes one of the IP addresses I have. How do I add the other 4 IP addresses to the interface?

Hi Doug,

You can create NAT rules using different public IP addresses. The ASA allows only one IP address on an interface. So you can identify the type of NAT (static/dynamic) that is required for your network and configure it with the public IP addresses.

I hope this will help you in the right direction; in case my understanding of your requirement is wrong, then feel free to correct me.

Thanks,

RS

Rate if the post helps.

I did create static NATs where I NATed the private IPs to public IPs. For example, I created a network object called DMZ-Edge-Access-INT that has a private IP of 192.168.x.x, then I NATed that to another network object called DMZ-Edge-Access-EXT that has a public IP address.

So the configuration was created this way: 

ASA-5506-ASA(config)# object network DMZ-Edge-Access-INT
ASA-5506-ASA(config-network-object)# host 192.168.x.x
ASA-5506-ASA(config-network-object)# nat (DMZ,COMCAST) static DMZ-Edge-Access-EXT

So in the ACL list should I create a rule like the one below?

ASA-5506-ASA(config)# access-list COMCAST_access_in extended permit tcp any object DMZ-Edge-Access-EXT eq https

Hi Doug,

Ensure that you are using the real IP in the ACL, as the NAT translation will happen before ACL evaluation.

Thanks,

RS

Thank you very much for your prompt response. Should I create the same rules on the DMZ interface ACL, or will the Comcast one suffice?

Hi Doug,

ACLs are evaluated only once, during creation of the connection. So while creating ACLs, keep in mind the direction in which they are applied, evaluate packet flow based on the direction of traffic from source to destination, and create appropriate ACLs to allow traffic.

For example, assume there are two interfaces, Inside and Outside. There is an ACL access_in on the inside interface in the IN direction and there is an access_out ACL on the outside interface in the OUT direction. If traffic from in to out needs to be allowed, then access_in and access_out both should allow the traffic.

So basically, evaluate how your ASA is configured and allow traffic accordingly. You can also use the packet-tracer utility to check the cause of the drop and rectify the configuration.

Thanks,

RS
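As an added illustration (not part of the thread and not Cisco's own documentation), the following ASA 9.x configuration fragment ties together the three points RS makes above: object NAT for the Edge server, an inbound ACL on the ISP interface that references the real (DMZ) address rather than the mapped public one, and a packet-tracer check of the resulting flow. It also adds the second NAT rule for the backup ISP that RS recommended earlier. The object names come from Doug's post; the addresses 192.168.1.10, 203.0.113.10, 203.0.113.20 and 198.51.100.25 are placeholders, and the interface names COMCAST and VERIZON are assumed.

```cisco
! Public (mapped) addresses, one per ISP. Placeholder values from TEST-NET ranges.
object network DMZ-Edge-Access-EXT
 host 203.0.113.10
object network DMZ-Edge-Access-EXT-VZ
 host 203.0.113.20
!
! Real (DMZ) address of the Edge server with static NAT toward the primary ISP.
! 192.168.1.10 is an assumed host inside the DMZ 192.168.1.0/24 range from the question.
object network DMZ-Edge-Access-INT
 host 192.168.1.10
 nat (DMZ,COMCAST) static DMZ-Edge-Access-EXT
!
! Object NAT permits one nat statement per object, so the backup ISP gets a
! second object for the same real host, translated to the Verizon public IP.
object network DMZ-Edge-Access-INT-VZ
 host 192.168.1.10
 nat (DMZ,VERIZON) static DMZ-Edge-Access-EXT-VZ
!
! Inbound ACL on the Comcast interface. On ASA 8.3 and later the packet is
! un-NATed before the ACL is evaluated, so the destination must be the REAL
! address (the INT object), not the mapped EXT object.
access-list COMCAST_access_in extended permit tcp any object DMZ-Edge-Access-INT eq https
access-list COMCAST_access_in extended permit icmp any object DMZ-Edge-Access-INT echo
access-group COMCAST_access_in in interface COMCAST
!
! Same rules for the backup path, so the server stays reachable after failover.
access-list VERIZON_access_in extended permit tcp any object DMZ-Edge-Access-INT eq https
access-list VERIZON_access_in extended permit icmp any object DMZ-Edge-Access-INT echo
access-group VERIZON_access_in in interface VERIZON
!
! Verification: simulate an inbound HTTPS SYN from a placeholder internet host
! arriving on COMCAST toward the public IP. The output lists each phase
! (UN-NAT, ACCESS-LIST, ...) and names the phase that drops the packet, if any.
packet-tracer input COMCAST tcp 198.51.100.25 40000 203.0.113.10 443
```

Because the ASA is stateful and the ACL is checked once when the connection is built, only the ingress interface of the initial packet needs a permit; the DMZ interface ACL does not need a matching entry for the return traffic of these inbound connections. If packet-tracer reports a drop in the ACCESS-LIST phase while a rule that names the EXT object exists, that is the symptom of writing the ACL against the mapped address.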

Thanks for your help sir! 

David_Che
Level 1

As far as I know, access from a lower security level interface (outside) to a higher one (inside) is denied by default unless an ACL explicitly permits it.

You need to configure ACLs to permit any service which the DMZ server would provide, including ICMP messages for troubleshooting.
